Cyber Incident Victim: CareFirst BlueCross BlueShield
Date: Mar 2018
Location: United States of America
Summary
A phishing attack compromised an employee email account at CareFirst BlueCross BlueShield, potentially exposing personal information of approximately 6,800 members, including names, member IDs, birthdates, and a limited number of Social Security numbers. No medical or financial data was accessed. The attackers used the breached account to send spam to external recipients unrelated to the insurer. Forensic analysis found no evidence of malware in the phishing email or subsequent spam activity, and no additional unauthorized system access was identified. While there was no indication of data misuse, the organization offered affected individuals complimentary credit monitoring and identity theft protection services for two years as a precautionary measure.
Description
On March 12, 2018, CareFirst BlueCross BlueShield discovered that an employee had fallen victim to a phishing email attack, resulting in the compromise of the employee's email account. The unauthorized actors leveraged this access to distribute spam emails to individuals unaffiliated with CareFirst. While the spam campaign targeted external recipients, the breach created potential exposure for approximately 6,800 CareFirst members whose personal information resided within the compromised email system. The accessible data included member names, identification numbers, and dates of birth, with Social Security numbers exposed in eight instances. No medical records, financial details, or clinical information were accessed during the incident.

CareFirst initiated an immediate investigation upon detecting the breach, engaging forensic specialists to analyze affected systems. The examination confirmed the phishing email contained no malware payload and identified no evidence of malicious software deployment within CareFirst's network. Investigators found no indications that attackers moved laterally beyond the single compromised email account or accessed other organizational systems. While no misuse of member data was verified, CareFirst implemented protective measures by offering impacted individuals two years of complimentary credit monitoring and identity theft protection services. The company publicly disclosed the incident on March 30, 2018, emphasizing the absence of broader system infiltration or data exploitation beyond the initial email account compromise.
